Privacy Rights Clearinghouse
- What Kind of Information Is Posted Online? Conduct a Privacy Assessment
- Consequences of Not Getting Permission to Post Information
- Transferring Paper Files to Electronic Documents: Do They Belong on the Web?
- Special Considerations for Electronic Mail
- State and Federal Privacy Laws Regarding Online Privacy
- Protecting Personal Information from Hackers
- How to Get Consent from Members
- If Your Group Collects Information about Children
Many clubs, homeowners' associations, parent-teacher associations (PTAs), public interest groups, and religious organizations are finding the Internet to be a powerful way to communicate with members, spread the word on current issues, sign up new members, and much more. It's increasingly common for groups to distribute newsletters by electronic mail and then post them on their web sites. Some organizations offer chat rooms where members and the public can share ideas about current issues and upcoming events.
While each of these uses offers great benefits to nonprofits, they all involve privacy concerns that should be considered when creating an online presence for your organization. The following scenarios tell the story:
Case 1: Paul volunteers evenings and weekends for the local Save the Wetlands organization. He is an engineer for a large housing developer which often is opposed to the activities of this and other environmental organizations. At the office Paul has kept quiet about his involvement. Recently the group decided to distribute its newsletter by e-mail rather than postal mail to save money and to reduce its use of paper. Without consulting the membership, the board also decided to post the newsletter on the organization's web site. Paul's employer inadvertently learned of Paul's volunteer activities when a search engine query found his name online on the club's newsletter. Paul was reprimanded by his supervisor. The unspoken message was that he would have difficulty advancing in the company.
Case 2: Barbara's church offers an online prayer circle on its web site. She submitted a prayer request for her husband, an alcoholic struggling to overcome his dependency. Her request included both her full name and that of her husband, plus details of his addiction and some of the family problems it has caused them. She was not aware that any query of their names on an online search engine could retrieve her prayer request. She was embarrassed when a relative contacted her to offer her sympathy.
Virtually all nonprofits collect information about their members: name, address, home phone number, work phone number, e-mail address, information about dues and contributions, and committee memberships. Some organizations like youth sports clubs obtain dates of birth. And support groups might even obtain highly sensitive information on, say, members' medical status.
Many groups are organized around controversial issues involving the environment, political campaigns, sexual orientation, reproductive rights, religion, adoption, civil liberties, and a host of other public policy issues. Indeed, for every controversial cause there are several nonprofit groups that are organizing around the issue, each with its roster of members and its databases primed for fundraising campaigns.
It's perhaps an understatement to say that the collection of personal information forms the very foundation of a nonprofit's success and effectiveness. But what many organizations fail to realize is the importance of safeguarding such personal information.
Nonprofits have a duty to protect the personal information they collect and keep. But this responsibility is often overlooked until it's too late and a privacy breach exposes members to unwanted attention -- like Paul and Barbara in the hypothetical scenarios above.
What questions should we ask when we perform a privacy assessment?
- What personal information, if any, is posted on the web site? This can include the roster of the entire membership, board members, committee members, top donors, award winners, event planners, and so on.
- What kind of personal information is posted -- name, address, phone number, e-mail address, committee participation?
- Is the organization's newsletter posted on the web site, and if so, does it include individuals' names and other personal information?
- Are names, telephone numbers, and e-mail addresses included in announcements for upcoming events?
- Does the web site post information about those who signed in to attend a recent event or the minutes from meetings?
- Do you list the names of members in captions of photos that your web site posts of, say, your most recent fundraising banquet?
- Do you obtain consent from individuals before posting photos on the web site, whether or not their name is included in the photo caption?
- Do you post the names of those who have donated to your organization?
Well-meaning club leaders often do not realize that there are several ways in which an individual's privacy can be harmed if safeguards are not implemented to protect their personal information.
Here are some unintended consequences of posting personal information to your group's web site:
- Members may be contacted by other organizations that want them to join, possibly resulting in membership migration.
- If yours is a civic organization involved in legislative issues or setting public policy, politicians looking for financial support or endorsements may contact those you list on your site.
- Some members may have personal safety considerations such as a stalking or domestic violence in which they must keep their location a secret.
- Addresses, phone numbers, and e-mail addresses of members might be accessed to pitch commercial products and services.
- Those who disagree with your organization's perspective may harass those whose personal information is posted online.
- Some members, though supportive of your efforts and active in the organization, may not want to be publicly-affiliated with the positions espoused by the organization.
- Members may have an unlisted or unpublished phone number that they want to keep private.
- Posting personal e-mail addresses could cause individuals to receive unwanted e-mail solicitations and spam. If individuals' names are listed in the white pages of the phone book, just posting their name on your web site may enable others to access additional personal information.
- Noting the names and other personal information about donors can lead to unwanted requests for other charitable donations.
- Posting pictures of minors could lure online predators.
You would not want to lose members because of such privacy breaches. Keeping these considerations in mind and getting consent up front about how members want their information to be used will go a long way in keeping your members involved.
When individuals give personal information on paper documents such as registration forms, membership subscription forms, fundraising forms, and event sign-in lists, they may not be aware that their information might end up in electronic files. Often these kinds of paper files are entered into computer databases for easier record keeping.
It's important to keep such data files separate from your web site. Do not make the mistake of posting confidential files on "nonpublic" portions of the web site. Just because there are no public links to such files does not mean that they cannot be found. A simple query on a search engine can retrieve files that you thought were in the background, only accessible to those in the know within your organization. There's a new sport in the hacker community called "google-hacking." Hackers look for documents that are squirreled away in the nonpublic parts of web sites by using generic search terms like "budget," "membership directory," or "confidential." When they find particularly sensitive information, they spread the word, enabling others to do the same.
Transferring personal information from paper files to an electronic format that might be posted to your web site should only be done in consideration of members' and attendees' express wishes. For instance, members may be fine with sharing information with other members via a paper membership directory, but would not want that information to be posted to your web site. Members may not object to having their name printed in a newsletter that is mailed in paper form only to other members, but they may not want to include their name in newsletters that are posted online and read by people outside of the organization. To be safe, get consent for both the print version and the online version.
The person in charge of privacy protection at your organization (yes, every organization should have one) should speak to the editors of all of the club's newsletters about these issues and make sure that they take the necessary steps to safeguard members' privacy. Remember, the Internet is a new technology for many, and your members may not know the full scope of what it means to have their information posted on your web site. A simple query in a search engine can retrieve the names of individuals posted on the most obscure club newsletter. It doesn't matter if the organization has a membership of 50 or several million. Personal names printed in club newsletters and posted on the web are easily found by Internet search engines.
Other ways in which personal information from paper files may end up on the Internet is in the tax, financial, and registration forms your group must file with the IRS and state government agencies. Such forms may require you to list your officers and directors. Others like the IRS Form 990 may require that you disclose employees' names and salaries. Often, organizations will list home addresses of officers, directors, and employees in the paper filings, unaware that these documents are posted on the Internet. We advise that you use your organization's address rather than home addresses.
Another common way that personal information finds its way onto the Internet is via annual reports and minutes of meetings. The best time to deal with the question of including personal information in such documents is when they are first created, not after they are posted to the group's web site.
Photographs of your members at events can be another way in which their privacy may be compromised. This can occur when a member's name is posted in the caption of the photo. In addition, if the individual's name is saved as part of the name of the graphic file, it might be discovered through search engines that locate images.
There are several different types of information that your web site can collect from its visitors, including the Internet Protocol (IP) addresses of web users, their browser information, and information obtained via cookies. Your organization should carefully consider whether it wishes to employ capabilities such as cookies. Such information does not necessarily identify visitors by name. Nonetheless, you should explain how you use such data, if at all. (See PRC Fact Sheet 18, "Online Privacy: Using the Internet Safely" at www.privacyrights.org/fs/fs18-cyb.htm .)
If you obtain personally identifiable information through online application forms, online surveys, interest lists, inquiry forms, and e-mail subscription forms, your policy must also describe what you use that information for, how long it is retained, how it can be updated or removed, and how it is protected from illegitimate access.
Your policy should explain who will have access to any information that is collected such as your web site administrator, organization staff, and board members. The policy should explain if information is shared with third parties or other members and for what purpose or under what circumstances. Providing those who give personal information the opportunity to opt in to the sharing of their information with third parties is a "best practice" that allows them to better control how their information is distributed.
Your policy should note whom visitors can contact with privacy concerns and how long it usually takes your organization to comply with a request for information removal. And don't forget to explain how individuals can access the information that you keep about them.
Should member information areas be password-protected?
You may want to consider having a password-protected section of your web site available only to members, or only to board members. You can use this section to allow members to see photos that members may not want to have viewed by the general public. Having a restricted part of your web site for members only will help keep a club-like feel for your organization, continue the easy communication between members, and yet still protect their privacy. It may also be an incentive for new members to join. One should note, however, that even with restricted access, you should still gain consent from members as to whether they wish to be listed where all other members can view their information.
What is the best way to keep the policy up to date?
Establish a periodic schedule to review your policy to make sure that its contents are still accurate, for instance, at a yearly board meeting or retreat. You will want to address any changes that result from new legislation, for example.
Where can I find sample privacy policies?
Several web sites offer sample privacy policies. Some include policies that are specifically for nonprofits and for web sites that are directed at children. For a list, see Part 10 at the end of this guide.
What if we communicate with members through mass e-mail notices or e-newsletters?
We advise that you obtain consent from members in order to contact them by e-mail. All mass e-mails should contain a functioning opt-out link or address. The person in charge of privacy at your organization should make sure that this link is working and that requests to be taken off the list are promptly addressed. You may also want to include the physical address of your club or organization and the name and e-mail address of the person in charge of any privacy concerns.
What if we post the personal e-mail addresses of members or board members on our web site?
If a personal e-mail address is posted on your site with the "@" sign printed, it is likely to draw unsolicited e-mail advertisements. Though the federal CAN-SPAM Act, which provides guidelines on commercial email, makes it illegal to harvest e-mail addresses from the Internet to send unwanted messages, the practice is still occurring. If members of your organization agree to allow their e-mail addresses to be posted, your organization should try to post them in a form that will not be recognized by "webbots" or "spiders." There are several ways to mask e-mail addresses such as using "(at)" instead of "@."
Are there any privacy laws about handling personal information online?
California computer security breach law. California has a law that affects any company, organization, or government agency that believes its electronic data files with personal information about Californians may have been compromised. In such cases, the organization must send those who are affected a notice about the security breach (California Civil Code Sections 1798.29 and 1798.82-1798.84). You can read about this law at http://www.oag.ca.gov/sites/all/files/pdfs/privacy/recom_breach_prac.pdf? .
The law covers any unauthorized acquisition of [unencrypted] computerized data that compromises the security, confidentiality or integrity of personal information. Personal information that triggers the notice requirement is name (first name or initial and last name) plus any of the following:
- Social Security number,
- Driver's License or California Identification Card number, or
- Financial account number, credit or debit card number (along with any PIN or other access code where required for access to account).
- The type of information that is collected and with whom the information may be shared.
- Whether or not subjects may review and update and/or change the information after it has been collected.
- The date the policy is in effect.
Federal Trade Commission Act. The Federal Trade Commission Act covers all business' unfair trade practices but generally does not cover actions of non-profit organizations, However, a Supreme Court decision found that where there is substantial economic benefit to its members, the site may be deemed commercial and governed by the Federal Trade Commission Act (15 USC 45). (FTC v. California Dental Association 526 U.S. 756 (1999))
How commercial is your site?
In light of the laws explained above, your organization should evaluate how commercial the web site is.
- Does your organization offer its members advantageous insurance policies and preferential financing arrangements?
- Does it engage in lobbying, litigation, marketing, or public relations for the benefit of its members' interests?
- Does it provide members with services such as job placement?
- Does it provide members with seminars, training sessions, or publications at discounted rates?
How can we protect the personal information we collect from hackers?
The short answer to the question is to not store personal information on any computers connected to the Internet.
Providing a secure environment for individuals to purchase goods or membership online is imperative. To be able to do this effectively and securely requires using a Secure Socket Layer
"SSL" encryption certificate. Properly installed, the use of SSL means that the information sent by the individual to your web site will be encrypted enroute. When the web user is on the secure pages of your web site, a yellow padlock is displayed on the task bar at the bottom of the computer monitor.
But using SSL does not guarantee that the data files containing personal information are hacker-proof. It only ensures that when the information is transmitted, it is protected until it gets to its final destination. It's important to make sure that information is safe on the receiving end. If the computer that hosts your web site also stores personal information of those who provide personal information through your site, you may inadvertently be leaving that information open to hacking through the Internet portal. This could subsequently leave member information open to possible identity theft or credit card fraud and could necessitate a security breach notification noted in Part 6.
It is beyond the scope of this guide to explain how to make your web site and computer files hacker-proof. Computer magazines are a good source for current information. And many web sites provide useful advice. Here are two resources, for starters:
- Federal Trade Commission, http://www.consumer.ftc.gov/articles/0272-how-keep-your-personal-information-secure 
- Net Action's Cyber Security Checklist, http://netaction.org/training/cybersecurity.html .
To gauge a person's privacy preferences, ask them fill out a form when they join. The form should include an opt-in style questionnaire like the following:
What may we include.
|In paper member directory
mailed to members only:
|In member directory posted on web site:|
Tell us what we may say about your donations and volunteer activities.
You may acknowledge me as follows:
|Monetary donations:||(Check Box)||Volunteer activities:||(Check Box)|
|In the paper newsletter mailed to members||In the paper newsletter mailed to members|
|In the e-mail newsletter||In the e-mail newsletter|
|In the newsletter posted on web site||In the newsletter posted on web site|
Please give us additional instructions on how we should handle your personal information.
[Include space for written instructions here.] _________________________________
What kinds of special considerations need to be made for children?
Organizations must be especially vigilant when collecting personal information about and from children. Under the federal Children's Online Privacy Protection Act (COPPA), any web site that knowingly collects information from children under age 13 and does not comply with the law can face serious sanctions, including fines, from the Federal Trade Commission (FTC).
COPPA requires anyone who collects information from children to disclose what type of information is collected and to attempt to gain parental consent. The organization must offer parents access to the information and an opportunity to change or remove the information. (See PRC Fact Sheet 21, "Children's Privacy and Safety on the Internet: A Resource Guide for Parents" www.privacyrights.org/fs/fs21-children.htm .)
While COPPA does not specifically apply to nonprofit organizations, there is case law suggesting that if members of your club gain financial advantage from being members, it may be deemed a for-profit organization under federal law 15 USC 45, the defining statute for "non-profit organization" under COPPA. See the discussion above of commercial sites. FTC v. California Dental Association 526 US 756  (1999).
Moreover, if your club or organization is affiliated with a school, you may face additional requirements under laws such as the Family Educational Rights and Privacy Act. FERPA governs schools that receive federal government funding. The Department of Education's web site has information on FERPA and how to be compliant. www.ed.gov/policy/gen/guid/fpco/ferpa/index.html 
In general, if your organization is geared towards children, it is advisable to err on the side of caution when considering collecting and posting personal information about minors, including photographs.
Federal Laws and Regulations
- Federal laws and U.S. Codes, www.law.cornell.edu/uscode 
- Federal regulations, known as the Code of Federal Regulations (CFR) http://www.gpo.gov/fdsys/browse/collectionCfr.action?collectionCode=CFR 
- Children's Online Privacy Protection Act (COPPA)
16 C.F.R. part 312, www.ftc.gov/ogc/coppa1.htm 
- Federal Trade Commission Act
15 U.S.C. § 45, www4.law.cornell.edu/uscode/15/45.html 
- Family Educational Rights and Privacy Act (FERPA)
20 U.S.C. § 1232g; 34 CFR Part 99,
Federal Trade Commission Publications
- "Children’s Online Privacy Protection Rule: A Six-Step Compliance Plan for Your Business"
- Other FTC Children's Privacy publications: http://www.business.ftc.gov/privacy-and-security/childrens-privacy 
California State Laws
- Text of state statutes, http://leginfo.legislature.ca.gov/faces/codes.xhtml 
- California Online Privacy Protection Act
California Business and Professions Code § 22575
- Security Breach Notification
California Civil Code §§ 1798.29 and 1798.82-1798.84
California Department of Justice’s Privacy Enforcement and Protection Unit
- "Recommended Practices on Notification of Security Breach Involving Personal Information," http://www.oag.ca.gov/sites/all/files/pdfs/privacy/recom_breach_prac.pdf? 
Privacy Rights Clearinghouse Fact Sheets
- Fact Sheet 12, "A Checklist of Responsible Information-Handling Practices"
- Fact Sheet 18, "Online Privacy: Using the Internet Safely"
- Fact Sheet 21, "Children's Privacy and Safety on the Internet: A Resource Guide for Parents,"
- "Nonprofit Organizations and Privacy: Responsible Mailing List Management" (1995 PRC speech) www.privacyrights.org/ar/listman.htm 
The Privacy Rights Clearinghouse acknowledges the assistance of research associate Alaina Roche, Esq., in developing this publication.